sachal-malick6856 asked ·

OAuth Authentication Code Flow: change variable name in authenticated response URL containing code from "code" to something else

I am building a RingCentral application on a server that, for security purposes, will not take any POST/GET variables other than a specified one. When I try to authenticate, the response URL, which contains the code as a query string variable named "code", causes my server to stop the script from running. I would like to change the variable name in the response URL that contains the authorization code. Is this possible? Can it be done using response_type? RingCentral specifies in the API that response_type must be set to "code", so I'm not sure. Any advice would be highly appreciated.
John Wang answered ·
The parameter named "code" is a required field in the OAuth 2.0 standard, IETF RFC 6749, so it is commonly used and accepted.

https://tools.ietf.org/html/rfc6749#section-4.1.2

The behavior of your server sounds odd. Is this logic part of your own application code or a framework you are using? Do you know why it does this and whether the logic can be changed?

sachal-malick6856 answered ·
The logic is part of a framework I am using and it cannot be changed.  I imagine it is to protect the server from attacks hidden in GET/POST requests.
What are my options?
3 comments

What framework do you use? I'm curious if others will run into this same issue.

One option you can use is to redirect to a server on a different hostname and then retrieve the authorization code from the URL on the client side. You can then exchange the authorization code for an access token on the browser side, or possibly send the auth code to the server to do the exchange (so the access token isn't exposed in the browser).

For example, if you wanted to, you could set up a free GitHub Pages website, say https://myuser.github.io, and redirect there so the browser ends up at https://myuser.github.io?code=rc_auth_code, then use client-side JS in the browser to extract the code and either use it in the browser to get an access token or transfer it to your server to do the exchange.

You can see a demo of client-side processing in the "public/index.html" page client-side JS code here:

https://github.com/ringcentral/ringcentral-demos-oauth/tree/master/javascript
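The redirect-and-forward approach described above, as an added example that is not part of the thread or the linked RingCentral demo: a helper page on the separate hostname parses the authorization response, checks the OAuth `state` value (an addition the thread does not discuss), and forwards the code to the application server under a different parameter name so the framework's filter accepts it. `FORWARD_URL`, `ALLOWED_PARAM` and the `oauth_state` storage key are assumed names.

```javascript
// Added example: client-side handling of the OAuth 2.0 authorization-code
// redirect on a helper page (e.g. https://myuser.github.io), then forwarding
// the code to the app server under a parameter name the framework accepts.
const FORWARD_URL = "https://app.example.com/oauth/complete"; // assumed endpoint
const ALLOWED_PARAM = "payload"; // the one parameter name the framework allows (assumed)

// Parse the redirect URL. Returns {code, state}; throws on an error response
// (RFC 6749 section 4.1.2.1 allows "error" instead of "code").
function parseAuthorizationResponse(urlString) {
  const params = new URL(urlString).searchParams;
  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  const code = params.get("code");
  if (!code) throw new Error("no authorization code in redirect URL");
  return { code, state: params.get("state") };
}

// Bind the callback to the browser session that started the flow
// (RFC 6749 section 10.12); an empty expected value never matches.
function verifyState(receivedState, expectedState) {
  return typeof expectedState === "string" && expectedState.length > 0 &&
    receivedState === expectedState;
}

// Build the POST body for the app server: the code travels under
// ALLOWED_PARAM instead of "code", so the framework's filter lets it through.
function buildForwardBody(code) {
  const body = new URLSearchParams();
  body.set(ALLOWED_PARAM, code);
  return body.toString();
}

// Browser entry point, run on the helper page after the redirect.
async function handleRedirect() {
  const { code, state } = parseAuthorizationResponse(window.location.href);
  const expected = sessionStorage.getItem("oauth_state"); // stored before redirecting
  if (!verifyState(state, expected)) throw new Error("state mismatch: callback not bound to this session");
  sessionStorage.removeItem("oauth_state");
  // Remove the code from the address bar and history before forwarding it.
  history.replaceState(null, "", window.location.pathname);
  const res = await fetch(FORWARD_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildForwardBody(code),
  });
  if (!res.ok) throw new Error(`server exchange failed: HTTP ${res.status}`);
}

// Only run automatically in a browser; under Node the functions load for testing.
if (typeof window !== "undefined") handleRedirect().catch(console.error);
```

The server side still exchanges the code for an access token over the back channel, so the token never reaches the browser.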
Hi John,

Thanks for your reply. That is the solution I ended up going with, though I was hoping to avoid it.
You can follow up with me at sachal.malick@studyswap.org if you're curious about my app.
Your site looks very interesting and I will certainly take you up on your offer.

Regarding hosting a separate service for the callback, some services will allow hosting the callback on their own domain so we can look into that as well.